Professional Documents
Culture Documents
Tencent-Cloud 1007 36568 en
Tencent-Cloud 1007 36568 en
Tencent-Cloud 1007 36568 en
Certificate Installation
Product Documentation
Copyright Notice
Copyright in this document is exclusively owned by Tencent Cloud. You must not reproduce, modify, copy or distribute
in any way, in whole or in part, the contents of this document without Tencent Cloud's the prior written consent.
Trademark Notice
All trademarks associated with Tencent Cloud and its services are owned by Tencent Cloud Computing (Beijing)
Company Limited and its affiliated companies. Trademarks of third parties referred to in this document are owned by
their respective proprietors.
Service Statement
This document is intended to provide users with general information about Tencent Cloud's products and services
only and does not form part of Tencent Cloud's terms and conditions. Tencent Cloud's products or services are
subject to change. Specific products and services and the standards applicable to them are exclusively provided for in
Tencent Cloud's applicable terms and conditions.
Contents
Certificate Installation
Selecting an Installation Type for an SSL Certificate
Installation of International Standard Certificates
Installing an SSL Certificate on an Nginx Server
(
Installing an SSL Certificate on an Apache Server Linux )
Installing an SSL Certificate on an Apache Server (Windows)
Installing an SSL Certificate (JKS Format) on a Tomcat Server
Installing an SSL Certificate (PFX Format) on a Tomcat Server
Installing an SSL Certificate on a GlassFish Server
Installing an SSL Certificate on a JBoss Server
Installing an SSL Certificate on a Jetty Server
Installing a Certificate on IIS Servers
Installing a Certificate on WebLogic Servers
Certificate Installation
Selecting an Installation Type for an SSL
Certificate
:
Last updated 2021-07-07 14:42:22
Note :
Currently, 8 methods are available for installing a certificate.
Manual installation methods described above are for mainstream servers. For server types that are not listed, you can
use Tencent Cloud’s certificate installation service.
Overview
This document describes how to install an SSL certificate on an Nginx server.
Note :
The certificate name cloud.tencent.com is used as an example.
The Nginx version nginx/1.18.0 is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable the default HTTPS port 443 on the Nginx server so that HTTPS
can be enabled after the certificate is installed. For more information, see How Do I Enable Port 443 for a
VM?.
For more information about how to upload SSL certificate files to a server, see Copying Local Files to CVMs.
Preparations
Install the remote file copy tool such as WinSCP. The latest official version is recommended.
Install the remote login tool such as PuTTY or Xshell. The latest official version is recommended.
Install the Nginx service containing http_ssl_module module in the current server.
The data required to install the SSL certificate includes the following:
Item Description
Server IP address IP address of the server, which is used to connect the PC to the server.
Note :
For a CVM instance purchased on Tencent Cloud, you can log in to the CVM console to get the server IP
address, username, and password.
Directions
Installing the certificate
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select Nginx for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the
cloud.tencent.com_nginx folder.
Folder: cloud.tencent.com_nginx
Files in the folder:
cloud.tencent.com_bundle.crt : Certificate file
cloud.tencent.com_bundle.pem : Certificate file (optional)
cloud.tencent.com.key : Private key file
cloud.tencent.com.csr : CSR file
Note :
The CSR file is uploaded by you or generated online by the system and is provided to the certificate
authority (CA) when you apply for the certificate. It is not relevant to installation.
3. Log in to the Nginx server using WinSCP (a tool copying files between a local computer and a remote computer).
5. Log in to the Nginx server remotely with such a login tool as PuTTY.
6. Modify the conf/nginx.conf configuration file in the Nginx root directory as follows:
Note:
If you cannot find the following content, add it manually.
In this operation, you can edit the file by running vim /usr/local/nginx/conf/nginx.conf .
You may need to set the configuration file differently based on the Nginx version. For example, use
listen 443 ssl instead of listen 443 or ssl on for the version nginx/1.15.0 or
later.
server {
# The default SSL access port is 443
listen 443 ssl;
# Enter the domain name bound to the certificate
server_name cloud.tencent.com;
# Enter the relative or absolute path of the certificate file
ssl_certificate cloud.tencent.com_bundle.crt;
# Enter the relative or absolute path of the private key file
ssl_certificate_key cloud.tencent.com.key;
ssl_session_timeout 5m;
# Configure the following protocols
ssl_protocols TLSv1.2 TLSv1.3;
# Configure the cipher suite according to the OpenSSL standard
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
# Path to the website homepage. This example is for reference only. You need to
set it to the actual path.
# For example, if your website homepage is under the "/etc/www" path of the Ngi
nx server, change the "html" behind "root" to "/etc/www".
root html;
index index.html index.htm;
}
}
7. Run the following command in the Nginx root directory to check whether there is a problem with the configuration
file.
./sbin/nginx -t
8. Run the following command in the Nginx root directory to restart Nginx.
./sbin/nginx -s reload
1. Select one of the following configuration methods based on your actual needs:
Note:
Uncommented configuration statements can be configured as shown below.
You may need to configure the configuration file differently based on the Nginx version. For example,
use listen 443 ssl instead of listen 443 or ssl on for the version
nginx/1.15.0 or later.
server {
# The default SSL access port is 443
listen 443 ssl;
# Enter the domain name bound to the certificate
server_name cloud.tencent.com;
# Enter the relative or absolute path of the certificate file
ssl_certificate cloud.tencent.com_bundle.crt;
# Enter the relative or absolute path of the private key file
ssl_certificate_key cloud.tencent.com.key;
ssl_session_timeout 5m;
# Configure the cipher suite according to the OpenSSL standard
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD
5:!ADH:!RC4;
# Configure the following protocols
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
location / {
# Path to the website homepage. This example is for reference only. You need
to set it to the actual path.
# For example, if your website homepage is under the "/etc/www" path of the N
ginx server, change the "html" behind "root" to "/etc/www".
root html;
index index.html index.htm;
}
}
server {
listen 80;
# Enter the domain name bound to the certificate
server_name cloud.tencent.com;
# Redirect requests made to an HTTP domain name to HTTPS
return 301 https://$host$request_uri;
}
2. Run the following command in the Nginx root directory to check whether there is a problem with the configuration
file.
./sbin/nginx -t
3. Run the following command in the Nginx root directory to restart Nginx.
./sbin/nginx -s reload
Note :
If you experience any issues with the above steps, contact us.
Overview
This document describes how to install an SSL certificate on an Apache server.
Note :
The certificate name cloud.tencent.com is used as an example.
The Apache/2.4.6 version is used as an example. The default port is 80 . You can download it from
the Apache official website. If you need to use another version, please contact us.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable port 443 on the Apache server so that HTTPS can be enabled
after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?
For more information about how to upload SSL certificate files to a server, please see Copying Local Files to
CVMs.
Prerequisites
A remote file copy tool such as WinSCP has been installed. Please download the latest version from the official
website.
A remote login tool such as PuTTY or Xshell has been installed. Please download the latest version from the official
website.
The Apache service has been installed and configured on the current server.
The data required to install the SSL certificate includes the following:
Name Remarks
Server IP address IP address of the server, which is used to connect the PC to the server.
Note :
For a CVM instance purchased on Tencent Cloud, you can log in to the CVM console to get the server IP
address, username, and password.
Directions
Certificate Installation
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select Apache for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the
cloud.tencent.com_apache folder.
Folder: cloud.tencent.com_apache
Files in the folder:
root_bundle.crt : certificate file
cloud.tencent.com.crt : certificate file
cloud.tencent.com.key : private key file
CSR file: cloud.tencent.com.csr
Note :
The CSR file is uploaded by you or generated online by the system and is provided to the certificate authority
(CA) when you apply for the certificate. It is not relevant to installation.
3. Log in to the Apache server using WinSCP (a tool copying files between a local computer and a remote computer).
4. Copy the obtained certificate files root_bundle.crt and cloud.tencent.com.crt and the private key
file cloud.tencent.com.key from the local directory to the /etc/httpd/ssl directory of the Apache
server.
Note :
If the /etc/httpd/ssl directory does not exist, run mkdir /etc/httpd/ssl in the command line
to create it.
5. Log in to the Apache server remotely by using a login tool such as PuTTY.
Note:
For a newly installed Apache server, the conf.d , conf , and conf.modules.d directories are
under the /etc/httpd directory by default.
Note:
The directory structure varies by OS version. Please find files in accordance with the actual OS version.
If they cannot be found in the files above, check whether the mod_ssl.so module has been installed. If no,
run the yum install mod_ssl command to install it.
8. Edit the ssl.conf configuration file in the /etc/httpd/conf.d directory by modifying the following:
<VirtualHost 0.0.0.0:443>
DocumentRoot "/var/www/html"
# Enter the certificate name
ServerName cloud.tencent.com
# Enable SSL
SSLEngine on
# Path of the certificate file
SSLCertificateFile /etc/httpd/ssl/cloud.tencent.com.crt
# Path of the private key file
SSLCertificateKeyFile /etc/httpd/ssl/cloud.tencent.com.key
# Path of the certificate chain file
SSLCertificateChainFile /etc/httpd/ssl/root_bundle.crt
</VirtualHost>
9. Restart the Apache server and then you can access it through https://cloud.tencent.com .
You can redirect HTTP requests to HTTPS by configuring the following settings:
Note :
The directory structure varies by Apache version. For more information, see Apache Module
mod_rewrite.
httpd.conf is located in more than one directory. You can filter them by /etc/httpd/* .
3. Create a new *.conf file such as 00-rewrite.conf in /etc/httpd/conf.modules.d and add the following to it:
<Directory "/var/www/html">
# Add the following:
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Directory>
4. Restart the Apache server and then you can access it through http://cloud.tencent.com .
Note :
If you experience any issues with the above steps, please contact us.
Overview
This document describes how to install an SSL certificate on an Apache server.
Note :
The certificate name cloud.tencent.com is used as an example.
Apache version: Apache/2.4.53. The default port is 80 . You can download it here. If you need a different
version, contact us.
The current server OS is Windows Server 2012 R2. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable port 443 on the Apache server so that HTTPS can be enabled
after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?
For more information about how to upload SSL certificate files to a server, see Copying Local Files to CVMs.
Preparations
Install the Apache service on the current server.
The data required to install the SSL certificate includes the following:
Item Description
Server IP address IP address of the server, which is used to connect the PC to the server.
Note :
For a CVM instance purchased on Tencent Cloud, you can log in to the CVM console to get the server IP
address, username, and password.
Directions
Step 1. Upload the certificate file
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select Apache for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the
cloud.tencent.com_apache file.
Folder: cloud.tencent.com_apache
Files in the folder:
root_bundle.crt : certificate file
cloud.tencent.com.crt : certificate file
cloud.tencent.com.key : private key file
cloud.tencent.com.csr : CSR file
Note :
The CSR file is uploaded by you or generated online by the system and is provided to the certificate
authority (CA) when you apply for the certificate. It is not relevant to installation.
Note :
For upload instructions, see Uploading Files from Linux to Windows CVM using RDP.
root_bundle.crt
ssl.crt
cloud.tencent.com.crt
cloud.tencent.com.key ssl.key
1. Open the httpd.conf file in the conf directory of the Apache server with a text editor and delete the #
before the following fields.
2. Open the httpd-ssl.conf file in the conf\extra directory of the Apache server with a text editor as
shown below:
3. Modify the httpd-ssl.conf file and set the following field parameters to the paths of the uploaded certificate
files as shown below:
SSLCertificateFile "C:/apache/conf/ssl.crt/cloud.tencent.com.crt"
SSLCertificateKeyFile "C:/apache/conf/ssl.key/cloud.tencent.com.key"
SSLCACertificateFile "C:/apache/conf/ssl.crt/root_bundle.crt"
4. Restart the Apache server and then you can access it through https://cloud.tencent.com .
1. Open the httpd.conf file in the conf directory of the Apache server with a text editor and delete the #
before the following fields.
2. Configure the fields in the website running directory. For example, add the following content to the <directory
"c:="" xampp="" htdocs"=""> field:
<Directory "C:/xampp/htdocs">
RewriteEngine on
RewriteCond %{SERVER_PORT} !^443$
RewriteRule ^(.*)?$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</Directory>
3. Restart the Apache server and then you can access it through both http://cloud.tencent.com (which will
be automatically redirected to https://cloud.tencent.com ) and https://cloud.tencent.com .
Overview
This document describes how to install an SSL certificate (JKS format) on a Tomcat server.
Note :
The certificate name cloud.tencent.com is used as an example.
Tomcat 9.0.56 is used as an example.
The current server OS is Windows Server 2016 Chinese. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable port 443 on the Tomcat server so that HTTPS can be enabled
after the certificate is installed. For more information, please see How Do I Enable Port 443 for a VM?
For more information about how to upload SSL certificate files to a server, please see Copying Local Files to
CVMs.
Prerequisites
The Tomcat service has been installed and configured on the server.
The data required to install the SSL certificate includes the following:
Item Description
Server IP address IP address of the server, which is used to connect the PC to the server.
Note :
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to obtain the
server IP address, username, and password.
If you have selected the Paste CSR method when applying for the SSL certificate, or your certificate brand
is Wotrus, the option to download the JKS certificate file is not provided. Instead, you need to manually
convert the format to generate a keystore as follows:
Access the conversion tool.
Upload the certificate and private key files in the Nginx folder to the conversion tool, enter the keystore
password, click Submit, and convert the certificate to a .jks certificate.
Directions
Certificate Installation
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select JKS for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the
cloud.tencent.com_jks folder.
Folder: cloud.tencent.com_jks
Files in the folder:
cloud.tencent.com.jks : keystore file
keystorePass.txt : password file (if you have set a private key password, this file will not be generated)
3. Copy the keystore file cloud.tencent.com.jks to the conf directory of the Tomcat installation directory.
4. Edit the server.xml file in the conf directory by adding the following:
Note :
To avoid format issues, you are not advised to copy the content of server.xml directly.
</Service>
</Server>
keystoreFile: location of the keystore file. You can specify an absolute path or a path relative to the
<CATALINA_HOME> (Tomcat installation directory) environment variable. If this parameter is not set, Tomcat
reads the file named ".keystore" from the user directory of the current OS user.
keystorePass: keystore password. If you set a private key password when applying for the certificate, enter the
private key password; otherwise, enter the password in the keystorePass.txt file in the Tomcat folder.
clientAuth: If it is set to true, Tomcat requires all SSL clients to provide a security certificate for identity verification.
If the Tomcat server is already started, you need to run the following .bat scripts in sequence in the bin
directory of the Tomcat installation directory to shut down and restart it:
If the Tomcat server is not started, you need to run the following .bat script in the bin directory of the Tomcat
installation directory to start it:
startup.bat
If the browser address bar displays the security lock logo, it means that the certificate is installed successfully.
If the website access is abnormal, you can refer to the following solutions to common problems:
You can redirect HTTP requests to HTTPS by configuring the following settings:
1. Edit the web.xml file in the conf directory of the Tomcat installation directory and find the
<\/welcome-file-list> tag.
<login-config>
<!-- Authorization setting for SSL -->
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Client Cert Users-only Area</realm-name>
</login-config>
<security-constraint>
<!-- Authorization setting for SSL -->
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
3. Edit the server.xml file in the Tomcat installation directory by changing the redirectPort parameter to
the port of the SSL connector, i.e., port 443, as shown below:
Note :
This change allows a non-SSL connector to redirect to an SSL connector.
4. Run the following .bat script in the /bin directory of the Tomcat installation directory to shut down the Tomcat
server:
shutdown.bat
5. Run the following command to confirm whether there is a problem with the configuration:
configtest.bat
6. Run the following .bat script to start the Tomcat server. In this way, you can access it through
https://www.tencentcloud.com/ .
startup.bat
Overview
This document describes how to install an SSL certificate (PFX format) on a Tomcat server.
Note :
The certificate name cloud.tencent.com is used as an example.
The tomcat9.0.40 version is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS.
If you need to install an SSL certificate (JKS format) on a Tomcat server, see Installing an SSL Certificate
(JKS Format) on a Tomcat Server.
Before you install an SSL certificate, enable port 443 on the Tomcat server so that HTTPS can be enabled
after the certificate is installed. For more information, please see How Do I Enable Port 443 for a VM?
For more information about how to upload SSL certificate files to a server, see Copying Local Files to CVMs.
Prerequisites
A remote file copy tool such as WinSCP has been installed. Please download the latest version from the official
website.
A remote login tool such as PuTTY or Xshell has been installed. Please download the latest version from the official
website.
The Tomcat service has been installed and configured on the server.
The data required to install the SSL certificate includes the following:
Item Description
Server IP address IP address of the server, which is used to connect the PC to the server.
Note :
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to obtain the
server IP address, username, and password.
Currently, the Tomcat server is installed in the /usr directory. For example, if the Tomcat folder name is
tomcat9.0.40 , /usr/*/conf is actually /usr/tomcat9.0.40/conf .
Directions
Certificate Installation
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select Tomcat for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the
cloud.tencent.com_tomcat folder.
Folder: cloud.tencent.com_tomcat
Files in the folder:
cloud.tencent.com.pfx : certificate file
keystorePass.txt : password file (if you have set a private key password, this file will not be generated)
3. Log in to the Tomcat server using WinSCP (a tool copying files between a local computer and a remote computer).
4. Copy the obtained cloud.tencent.com.pfx certificate file from the local directory to the /usr/*/conf
directory.
5. Remotely log in to the Tomcat server using a login tool such as PuTTY.
6. Edit the server.xml file in the /usr/*/conf directory by using either of the following methods as needed:
Note :
If you use method 1, Tomcat automatically selects an SSL implementation mode for you. If you are unable to
complete the subsequent configuration according to method 1, it may be because your environment does
not support the implementation mode. In that case, you can use method 2 to manually select an SSL
implementation mode based on your environment properties.
Modify the value of the Connector attribute in the server.xml file to the following:
port="443"
protocol="HTTP/1.1"
SSLEnabled="true"
scheme="https"
secure="true"
keystoreFile="/usr/*/conf/cloud.tencent.com.pfx" # Path of the certificate file
keystoreType="PKCS12"
keystorePass="Certificate password" # Replace the value with the content in the
`keystorePass.txt` password file.
clientAuth="false"
SSLProtocol="TLSv1.1+TLSv1.2+TLSv1.3"
ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RS
A_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_1
28_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256"/>
keystoreFile: location of the certificate file. You can specify an absolute path or a path relative to the (Tomcat
installation directory) environment variable. If this parameter is not set, Tomcat reads the file named ".keystore"
from the user directory of the current OS user.
keystorePass: password in the password file, i.e., keystore password. If you have set a private key password
when applying for the certificate, enter the private key password; otherwise, enter the password in the
keystorePass.txt file in the cloud.tencent.com_tomcat folder.
clientAuth: If it is set to true, Tomcat requires all SSL clients to provide a security certificate for identity verification.
If the Tomcat server is not started, you need to run the following command in the /usr/*/bin directory to start
it.
./startup.sh
You can redirect HTTP requests to HTTPS by configuring the following settings:
1. Edit the web.xml file in the /usr/*/conf directory and find the <\/welcome-file-list> tag.
<login-config>
<auth-method>CLIENT-CERTauth-method>
<realm-name>Client Cert Users-only Arearealm-name>
login-config>
<security-constraint>
<web-resource-collection >
<web-resource-name >SSLweb-resource-name>
<url-pattern>/*url-pattern>
web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIALtransport-guarantee>
user-data-constraint>
security-constraint>
3. Edit the server.xml file in the /usr/*/conf directory by changing the redirectPort parameter to
the port of the SSL connector, i.e., port 443, as shown below:
port="80" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
Note :
This change allows a non-SSL connector to redirect to an SSL connector.
4. Shut down the Tomcat server by running the following command in the /usr/*/bin directory:
./shutdown.sh
5. Run the following command to confirm whether there is a problem with the configuration:
./configtest.sh
6. Run the following command to start the Tomcat server. In this way, you can access it through
http://cloud.tencent.com .
./startup.sh
Overview
This document describes how to install an SSL certificate on a GlassFish server.
Note :
The certificate name cloud.tencent.com is used as an example.
GlassFish 4.0 is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable port 443 on the GlassFish server so that HTTPS can be
enabled after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?
For more information about how to upload SSL certificate files to a server, see Copying Local Files to CVMs.
Prerequisites
A remote file copy tool such as WinSCP has been installed. Please download the latest version from the official
website.
A remote login tool such as PuTTY or Xshell has been installed. Please download the latest version from the official
website.
The GlassFish service has been installed and configured on the current server.
The data required to install the SSL certificate includes the following:
Name Remarks
Server IP address IP address of the server, which is used to connect the PC to the server.
Note :
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to obtain the
server IP address, username, and password.
If you have selected the Paste CSR method when applying for the SSL certificate, or your certificate brand
is Wotrus, the option to download the Tomcat certificate file is not provided. Instead, you need to manually
convert the format to generate a keystore as follows:
Access the conversion tool.
Upload the certificate and private key files in the Nginx folder to the conversion tool, enter the keystore
password, click Submit, and convert the certificate to a .jks certificate.
The GlassFish service is installed in the /usr/share directory.
Directions
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select Apache and JKS for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate files of the corresponding types, which include the
cloud.tencent.com_apache and cloud.tencent.com_jks folders.
Folder: cloud.tencent.com_apache
cloud.tencent.com.crt : certificate file
cloud.tencent.com.key : private key file
CSR file: cloud.tencent.com.csr
Note :
The CSR file is uploaded by you or generated online by the system and is provided to the certificate
authority (CA) when you apply for the certificate. It is not relevant to installation.
3. Remotely log in to the GlassFish server. For example, you can use PuTTY for remote login.
Note :
The default installation directory of the domain1 service is
/usr/share/glassfish4/glassfish/domains . Change the domain name after you execute
the change-master-password --savemasterpassword=true domain1 command.
The default password is changeit. Press Enter and enter the new password, which should be the
private key password you set when applying for the certificate.
If you haven’t set a private key password when applying for the certificate, enter the password of the
keystorePass.txt file in the cloud.tencent.com_jks folder.
5. In the /usr/share directory, run the mkdir temp command to create the temp folder.
6. Use WinSCP (a tool for copying files between a local computer and a remote computer) to log in to the GlassFish
server, and then copy the certificate file cloud.tencent.com.crt and the private key file
cloud.tencent.com.key from the local directory to the temp folder.
7. In the temp folder, run the following command to generate the PKCS12 file. When the system prompts you for a
password during the process, enter the new password, which is the private key password.
8. In the temp folder, run the ls -l command to check whether the PKCS12 file contains the certificate you
applied for.
9. In the temp folder, run the following command to generate the keystore.jks .
0. In the temp folder, run the following command to generate the cacert.jks file. When the system prompts
you for a password during this process, enter the new password, which is the private key password.
If the system asks whether to trust the certificate, enter yes as shown in the following figure.
11. Replace the keystore.jks and cacert.jks files in the domain1/config directory with the files
generated in steps 9 and 10.
12. In the /usr/share/glassfish4/glassfish/domains/domain1/config directory, change the port
numbers in the domain.xml file.
<network-listeners>
<network-listener port="80" protocol="http-listener-1" transport="tcp" name="http
-listener-1" thread-pool="http-thread-pool">network-listener>
<network-listener port="443" protocol="http-listener-2" transport="tcp" name="htt
p-listener-2" thread-pool="http-thread-pool">network-listener>
<network-listener port="4848" protocol="admin-listener" transport="tcp" name="adm
in-listener" thread-pool="admin-thread-pool">network-listener>
network-listeners>
3. Start the GlassFish server and then you can access the cloud.tencent.com website over the HTTPS
protocol.
Note :
If you experience any issues with the above steps, please contact us.
Overview
This document describes how to install an SSL certificate on a JBoss server.
Note :
The certificate name cloud.tencent.com is used as an example.
JBoss 7.1.1 is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable port 443 on the JBoss server so that HTTPS can be enabled
after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?
For more information about how to upload SSL certificate files to a server, please see Copying Local Files to
CVMs.
Prerequisites
A remote file copy tool such as WinSCP has been installed. Please download the latest version from the official
website.
A remote login tool such as PuTTY or Xshell has been installed. Please download the latest version from the official
website.
The JBoss service has been installed and configured on the current server.
The data required to install the SSL certificate includes the following:
Name Remarks
Server IP address IP address of the server, which is used to connect the PC to the server.
Note :
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to obtain the
server IP address, username, and password.
If you have selected the Paste CSR method when applying for the SSL certificate, or your certificate brand is
Wotrus, the option to download the JKS certificate file is not provided. Instead, you need to manually convert the
format to generate a keystore as follows:
Access the conversion tool.
Upload the certificate and private key files in the Nginx folder to the conversion tool, enter the keystore
password, click Submit, and convert the certificate to a .jks certificate.
The JBoss service is installed in the /usr/local directory.
Directions
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select JKS for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the
cloud.tencent.com_jks folder.
Folder: cloud.tencent.com_jks
Files in the folder:
cloud.tencent.com.jks : keystore file
keystorePass.txt : password file (if you have set a private key password, this file will not be generated)
3. Remotely log in to the JBoss server. For example, you can use PuTTY for remote login.
4. In the /usr/local/jboss-7.1.1/standalone/configuration directory, run the mkdir cert
command to create the cert folder.
5. Use WinSCP (a tool for copying files between a local computer and a remote computer) to log in to the JBoss
server and copy the keystore file cloud.tencent.com.jks from the local directory to the cert folder.
6. In the /usr/local/jboss-7.1.1/standalone/configuration directory, change the port configuration
and add certificate configuration in the standalone.xml file.
Part 1:
<interfaces>
<interface name="management">
<inet-address value="${jboss.bind.address.management:127.0.0.1}"/>
</interface>
WITH_3DES_EDE_CBC_SHA,SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA,SSL_DHE_DSS_WITH_3DES
_EDE_CBC_SHA" protocol="TLSv1,TLSv1.1,TLSv1.2"/>
</connector>
<virtual-server name="default-host" enable-welcome-root="true">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
8. The certificate is deployed and you can access the server through https://cloud.tencent.com .
Note :
If you experience any issues with the above steps, please contact us.
Overview
This document describes how to install an SSL certificate on a Jetty server.
Note :
The certificate name cloud.tencent.com is used as an example.
Jetty 9.4.28.v20200408 is used as an example.
The current server OS is CentOS 7. Detailed steps vary slightly with the OS.
Before you install an SSL certificate, enable port 443 on the Jetty server so that HTTPS can be enabled
after the certificate is installed. For more information, see How Do I Enable Port 443 for a VM?
For more information about how to upload SSL certificate files to a server, please see Copying Local Files to
CVMs.
Prerequisites
A remote file copy tool such as WinSCP has been installed. Please download the latest version from the official
website.
A remote login tool such as PuTTY or Xshell has been installed. Please download the latest version from the official
website.
The Jetty service has been installed and configured on the current server.
The data required to install the SSL certificate includes the following:
Name Remarks
Server IP address IP address of the server, which is used to connect the PC to the server.
Note :
For a CVM instance purchased on the Tencent Cloud official website, log in to the CVM console to obtain the
server IP address, username, and password.
If you have selected the Paste CSR method when applying for the SSL certificate, or your certificate brand is
Wotrus, the option to download the JKS certificate file is not provided. Instead, you need to manually convert the
format to generate a keystore as follows:
Access the conversion tool.
Upload the certificate and private key files in the Nginx folder to the conversion tool, enter the keystore
password, click Submit, and convert the certificate to a .jks certificate.
The Jetty service is installed in the /usr/local/jetty directory.
Directions
1. Log in to the SSL Certificate Service console, and click Download for the certificate you need to install.
2. In the pop-up window, select JKS for the server type, click Download, and decompress the
cloud.tencent.com certificate file package to the local directory.
After decompression, you can get the certificate file of the corresponding type, which includes the
cloud.tencent.com_jks folder.
Folder: cloud.tencent.com_jks
Files in the folder:
cloud.tencent.com.jks : keystore file
keystorePass.txt : password file (if you have set a private key password, this file will not be generated)
3. Remotely log in to the Jetty server. For example, you can use PuTTY for remote login.
4. In the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, run the mkdir
cert command to create the cert folder.
5. Use WinSCP (a tool for copying files between a local computer and a remote computer) to log in to the Jetty server
and copy the keystore file cloud.tencent.com.jks from the local directory to the cert folder.
6. In the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, modify the
configuration in the jetty-ssl-context.xml file.
Note :
KeyStorePath: set the default value to the path of the certificate file.
KeyStorePassword: set the default value to the keystore password. If you have set a private key
password when applying for the certificate, enter the private key password; otherwise, enter the password
in the keystorePass.txt file in the cloud.tencent.com_jks folder.
KeyManagerPassword: set the value to the password in the keystorePass.txt file in the
cloud.tencent.com_jks folder.
TrustStorePath: set the default value to the certificate file path.
<Call name="addConnector">
<Arg>
<New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
<Arg name="server"><Ref refid="Server" /></Arg>
<Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" deprecate
d="ssl.acceptors" default="-1"/></Arg>
<Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" deprecate
d="ssl.selectors" default="-1"/></Arg>
<Arg name="factories">
<Array type="org.eclipse.jetty.server.ConnectionFactory">
<!-- uncomment to support proxy protocol
<Item>
<New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
</Item>-->
</Array>
</Arg>
<Set name="host"><Property name="jetty.ssl.host" deprecated="jetty.host" /></Se
t>
<Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default
="443" /></Set>
<Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout" deprecated="ssl.
timeout" default="30000"/></Set>
<Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDel
ta" deprecated="ssl.acceptorPriorityDelta" default="0"/></Set>
<Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" deprecat
ed="ssl.acceptQueueSize" default="0"/></Set>
<Get name="SelectorManager">
<Set name="connectTimeout"><Property name="jetty.ssl.connectTimeout" default="1
5000"/></Set>
</Get>
</New>
</Arg>
</Call>
etc/jetty-ssl.xml
etc/jetty-ssl-context.xml
etc/jetty-https.xml
9. In the Jetty root directory, run the java -jar start.jar command to start the Jetty server and then you can
access it through https://cloud.tencent.com .
Notes
After the certificate is deployed, the following error message may be displayed when you access
https://cloud.tencent.com :
If the error message is displayed, copy the ROOT file from the /usr/local/jetty/jetty-distribution-
9.4.28.v20200408/demo-base/webapps directory to the /usr/local/jetty/jetty-distribution-
9.4.28.v20200408/webapps directory, and then restart the Jetty server.
Note :
If you experience any issues with the above steps, please contact us.
Scenarios
This document describes how to install an SSL certificate on an IIS server.
Note :
This document uses the certificate name cloud.tencent.com as an example. For your purposes,
please use the name used in your certificate.
This document takes Windows Server 2012 R2 as an example. The detailed steps may vary slightly
depending on the operating system.
Before you install an SSL certificate, enable port 443 on the IIS server so that HTTPS can be enabled after
the certificate is installed. For more information, see How do I enable port 443 for a server?.
To upload a SSL certificate to CVMs, see Copying Local Files to CVMs.
Directions
Certificate installation
1. Download the certificate package for the domain name cloud.tencent.com from the SSL Certificate Service
Console and decompress it to a local directory.
After decompression, you can get the certificate files of the relevant types, including the IIS folder and CSR file:
Note :
The CSR file is uploaded by you or generated online by the system when you apply for the certificate and is
provided to the CA. It is not relevant to installation.
2. Open the IIS Manager, select the computer name, and double-click Server Certificates to open it, as shown in the
following figure.
3. In the Actions column to the right of the Server Certificates window, click Import, as shown in the following
figure.
4. In the Import Certificate pop-up window, select the path where the certificate file is stored, enter the password,
and click OK, as shown in the following figure.
Note :
If you set a private key password when applying for the certificate, enter the private key password;
otherwise, enter the password in the keystorePass.txt file in the IIS folder.
If you forgot the private key password, please submit a ticket to ask Tencent Cloud engineers to delete
the certificate. You need to re-apply for the domain name certificate.
5. Select the name of a site under Sites and click Site Bindings in the Actions column on the right, as shown in the
following figure.
6. In the Site Bindings pop-up window, click Add, as shown in the following figure.
7. In the Add Site Binding window, set the site type to https, the port to 443, and the host name to the domain name
corresponding to the certificate, specify the corresponding SSL certificate, and click OK, as shown in the following
figure.
8. Once you made the addition, the new content will be available to view in the Site Bindings window, as shown in
the following figure.
9. Access https://cloud.tencent.com .
Note :
For normal redirect, edit the rule according to the following steps. If you have other needs, you can configure
as needed.
During the redirect from HTTP to HTTPS, if your website element contains external links or uses HTTP
protocol, it will cause the entire web page to not be completely based on HTTPS protocol. In this case, some
browsers may issue security warnings such as "this link is insecure". You can view the reason for the error
by clicking Details on message page.
Note :
Download and install the URL Rewrite module before proceeding to the following steps.
3. On the URL Rewrite page, click Add Rule(s) in the Actions column on the right, as shown in the following figure.
4. In the Add Rule(s) pop-up window, select Blank rule and click OK, as shown in the following figure.
Conditions: click to expand and click Add to pop up the Add Condition window.
Condition input: {HTTPS} .
Note :
If you experience any issues with the steps outlined above, please contact us.
Overview
This document describes how to install an SSL certificate on a WebLogic server.
Note :
The example certificate name used in this document is cloud.tencent.com . Please use the actual
name of the certificate applied to your environment.
The example WebLogic version used in this document is 14.1.1.
The example operating system used in this document is Windows Server 2012 R2. The operational steps
may vary slightly depending on the operating system.
Before installing an Weblogic certificate, enable port 443 on the WebLogic server so that HTTPS can be
enabled after the certificate is installed. For more information, see How do I Enable Port 443 for a VM?.
For details about how to upload SSL certificate files to a server, see Copying Local Files to CVMs.
Directions
Note :
The directories mentioned in the following steps are the directories of the test environment. Determine their
specific paths based on your actual environment and needs.
1. Download the certificate package for the domain name cloud.tencent.com from the SSL Certificate Service
console and decompress it to a local directory.
After decompression, you can obtain the certificate files of the relevant types, including the Tomcat folder and
the CSR file:
Note :
The CSR file is uploaded by you or generated online by the system when you apply for the certificate and is
provided to the CA. It is irrelevant to the installation.
If you selected Paste CSR when applying for the SSL certificate or purchased the SSL certificate from
Wotrus, the option to download the Tomcat certificate file is not provided. Instead, you need to manually
convert the format to generate a keystore by using the conversion tool.
If the Tomcat certificate file is not provided, upload the certificate and private key files in the Nginx folder
to the conversion tool, enter the keystore password, and click Submit to convert the certificate to a .jks
certificate.
2. Log in to the server and create a folder. For example, temp in the C drive.
3. Decompress the certificate and password files and upload them to the temp folder.
4. Log in to the WebLogic Server Administration Console (default address:
http://localhost:7001/console ) by entering your username and password.
5. Choose Domain Configurations -> Servers.
7. On the configuration management page for AdminiServer , select SSL Listening Port Enabled, set SSL
Listening Port to 443 , and click Save.
8. On the configuration management page for AdminiServer , click the Keystores tab, set the parameters, and
click Save.
Note :
Custom Identity Keystore Passphrase and Confirm Custom Identity Keystore Passphrase are left
empty by default and can be set to your JKS password. The settings of these 2 parameters do not affect the
use of your certificate.
9. On the configuration management page for AdminiServer , click the SSL tab, set the parameters, and click
Save.
Note :
For WebLogic 10.3.6-12c, select JSSE in the advanced settings area on the SSL settings page.
WebLogic versions earlier than 10.3.6 do not support SHA2 certificates. Please upgrade and try again.
0. Click Save after modifying the necessary information. The modifications are automatically activated, eliminating the
need for restart.
1. Access https://cloud.tencent.com .